Survey of CMS use on Virginia School District Websites

I recently had a need to get some hard data on the use of Content Management Systems. What I found was what most anyone working in K12 would expect: a majority of schools are using third-party services to host their sites. This trend of outsourcing the public websites parallels the trend in K12 to move other “line of business” applications (those that store and manage student information) to “the Cloud”.

To create the data I took the information provided on the Virginia Department of Education’s website and examined the headers and page code to look for “markers” of well-known content management systems (CMS).

More than 57% use a CMS that is built and marketed primarily to the K12 market (not including Google Sites), and 38.52% of all VA districts use either Blackboard’s Centricity or School Messenger’s Presence systems.
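The marker approach described above, sketched as an added example (not the code used for the survey): it checks response headers and page code already collected for each site and tallies percentage shares. The rule table, function names and sample responses are assumptions; it lists only widely documented markers for WordPress, Drupal and Joomla, because the page does not give the markers used for the K12 products.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# (cms, source, regex). Sources: "generator" = <meta name="generator"> content,
# "asset" = any src/href URL, "header:<name>" = one response header.
# Only widely documented markers of three open-source CMSs are listed here;
# markers for K12-specific products are not given on the page and must be
# added from your own observation of those products.
RULES = [
    ("WordPress", "generator", r"^WordPress\b"),
    ("WordPress", "asset", r"/wp-(?:content|includes)/"),
    ("WordPress", "header:link", r"api\.w\.org"),
    ("Drupal", "generator", r"^Drupal\b"),
    ("Drupal", "header:x-generator", r"^Drupal\b"),
    ("Drupal", "asset", r"/sites/(?:default|all)/"),
    ("Joomla", "generator", r"^Joomla!"),
]


class PageMarkers(HTMLParser):
    """Collects generator meta tags and asset URLs; visible text is ignored
    so a page that merely mentions a CMS path is not counted as using it."""

    def __init__(self):
        super().__init__()
        self.values = {"generator": [], "asset": []}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.values["generator"].append(a.get("content", "").strip())
        for key in ("src", "href"):
            if key in a:
                self.values["asset"].append(a[key])


def fingerprint(headers, html):
    """Return {cms: [sources that matched]} for one HTTP response."""
    page = PageMarkers()
    page.feed(html)
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = {}
    for cms, source, pattern in RULES:
        if source.startswith("header:"):
            name = source.split(":", 1)[1]
            candidates = [hdrs[name]] if name in hdrs else []
        else:
            candidates = page.values[source]
        if any(re.search(pattern, c) for c in candidates):
            found.setdefault(cms, []).append(source)
    return found


def classify(headers, html):
    """CMS with the most independent markers, or 'unknown' when none match."""
    found = fingerprint(headers, html)
    if not found:
        return "unknown"
    return max(sorted(found), key=lambda cms: len(found[cms]))


def survey(responses):
    """Percentage share per classification over {site: (headers, html)}."""
    counts = Counter(classify(h, b) for h, b in responses.values())
    total = sum(counts.values())
    return {cms: round(100 * n / total, 2) for cms, n in counts.items()}


# Constructed responses for illustration (not data from the survey).
SAMPLES = {
    "district-a.example": (
        {"Link": '<https://district-a.example/wp-json/>; rel="https://api.w.org/"'},
        '<html><head><meta name="generator" content="WordPress 6.4">'
        '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>',
    ),
    "district-b.example": (
        {"X-Generator": "Drupal 9 (https://www.drupal.org)"},
        '<html><head><script src="/sites/default/files/js/app.js"></script></head></html>',
    ),
    "district-c.example": (  # mentions a WordPress path in text only
        {"Server": "nginx"},
        "<html><body><p>Old /wp-content/ links are gone.</p></body></html>",
    ),
    "district-d.example": (
        {"Server": "Apache"},
        '<html><head><meta name="generator" '
        'content="Joomla! - Open Source Content Management"></head></html>',
    ),
}

if __name__ == "__main__":
    for site, (headers, html) in SAMPLES.items():
        print(site, classify(headers, html), fingerprint(headers, html))
    print(survey(SAMPLES))
```

Sites that match no rule are reported as "unknown" rather than guessed, which keeps the shares honest when a vendor strips or changes its markers.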




FERPA, COPPA and the myths we tell each other

This Sunday is Data Privacy Day, so I thought I would list some of the more “interesting” interpretations I have heard (and read) about COPPA, FERPA and how schools approve educational services.

I eventually plan to write up an annotated version of this list, so if you have additions, please tweet them to me @jsiegl


Laws and Consent: COPPA, FERPA et al.

  1. If a vendor says they are “FERPA compliant”, that means something,
  2. A vendor can designate themselves as a “school official” by saying so in their terms.
  3. If an online service requests “only” directory information to sign up, it is OK for schools to sign students up, or have them sign up.
  4. If it involves student health information, you have to comply with HIPAA,
  5. COPPA covers information collected about children under 13,
  6. If the student is 13 or over, as a teacher, I don’t need to get parental consent,
  7. “COPPA compliant” means the information is kept private,
  8. As a vendor, you can comply with COPPA if you just say “this site is not for children, if you are under 13 you may not access this site” , regardless of anything else,
  9. It is a valid COPPA workaround for a vendor, in their terms, to tell a teacher, in order to comply with COPPA, to sign up the student, or create an account using their email address,
  10. Vendors can say in their Terms of Service that schools are responsible for complying with COPPA.
  11. “In Loco Parentis” means schools/teachers can consent to students’ use of any online services on parents’ behalf,
  12. I only have to get permission if I am creating student accounts/the student is logging in,
  13. Vendors can delegate collecting and managing parental permission to schools even if the school is not “contracting with the vendor to perform an educational purpose”,

Privacy Policies

  1. A privacy policy means the site protects your privacy,
  2. If it is in the vendor’s policy/terms, then it must be true,
  3. Not private by default is fine, because students and teachers can just change it to be private,
  4. A tool that only offers the option of public posting is OK as long as you get permission, (“privacy as a premium”)
  5. Related-A tool that only offers the option of public posting is OK as long as students are over 13, (“privacy as a premium”)

Security and Confidentiality

  1. It does not matter if a password protected site is secure if it does not collect any sensitive data.
  2. If the site uses https, it means the product is secure,
  3. “Security by obscurity” is security,
  4. Student IDs are not confidential, so are a good choice for student usernames/email addresses,
  5. Student IDs are not confidential, and can be used to pay for lunches or to post grades,
  6. Anonymized and Aggregated data are the same thing,
  7. Anonymous and Pseudonymous are the same thing,
  8. Related-Creating Pseudonymous accounts (e.g. usernames that do not have the student’s full name or ID) is a valid “workaround” to avoid the challenges of complying with FERPA or COPPA,

3rd Party Data Collection and Signon

  1. Ad networks and data brokers are the same thing,
  2. Related-Ad networks sell or trade user data
  3. Ad networks and analytics are the same thing,
  4. Social Login, (that “Login with X” button e.g. Twitter, O365, Google, Facebook etc.) means you are just logging in and not really creating an account on the site,
  5. Related-“Login with X” means that you are “just” creating an account,

Happy Data Privacy Day

Plagiarism, Precedence and the Agora Letter

Earlier today the US Department of Education released a letter outlining their findings against Agora Cyber Charter schools. The letter and Future of Privacy Forum’s commentary are worth devoting some quiet time to parsing through. The primary evidence for the Dept. of Ed’s finding that Agora violated the parent’s FERPA rights was the requirement that the parent consent to K12’s terms of service, and specifically this sentence:

“…you grant <vendor> and its affiliates and licensees the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote the content in any form, anywhere and for any purpose.”

It appears that K12 has since updated their terms to add a qualifying clause, “..only to the extent consistent with the Family Educational Rights and Privacy Act;”, on their main site as well as the related sites of fueleducation and icademy.

Two things struck me as significant about this clause that have not yet been part of the discussion.

First is that, like most language in Privacy Policies and Terms of Service, the language is not unique. A simple Google search for this exact phrase turns up 597 results (with a startlingly high concentration in the racetrack industry). Anyone that spends a lot of time reading through vendor policies knows that there is a lot of copied content. One of the first things I do when evaluating a new product is to pick three sentences at random from a policy and google them.

Why does this matter? When the content of a privacy policy does not originate from the creator of the product, it raises questions as to whether the terms accurately reflect the behavior of the vendor. Even with just a cursory web search for the clause, I found the phrase in use on six sites in the education sector.
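The three-sentence spot check described above, as an added example that is not the author's own tooling. It goes one step further than the text by also comparing two policies offline after masking vendor names, the way the quoted clause masks the name as `<vendor>`. All function names, the vendor names and both sample policies are constructed for illustration; only the licence clause itself is taken from the page.

```python
import random
import re


def sentences(policy_text, min_words=8):
    """Split a policy into sentences long enough to be distinctive."""
    parts = re.split(r"(?<=[.!?])\s+", policy_text.strip())
    return [p for p in parts if len(p.split()) >= min_words]


def normalize(sentence, vendor_names):
    """Lowercase, mask vendor names as <vendor>, and drop punctuation."""
    s = sentence.lower()
    for name in vendor_names:
        s = s.replace(name.lower(), "<vendor>")
    return " ".join(re.sub(r"[^a-z0-9<> ]+", " ", s).split())


def query_phrase(sentence, vendor_names):
    """Longest vendor-free fragment of a sentence, quoted for exact-phrase
    search, so a copied clause still matches under another company's name."""
    pattern = "|".join(re.escape(n) for n in vendor_names) or r"(?!)"
    fragments = re.split(pattern, sentence, flags=re.IGNORECASE)
    longest = max(fragments, key=len).strip(" ,.;:")
    return '"' + longest + '"'


def spot_check(policy_text, vendor_names, k=3, seed=None):
    """Pick k sentences at random and return one search phrase for each."""
    pool = sentences(policy_text)
    picked = random.Random(seed).sample(pool, min(k, len(pool)))
    return [query_phrase(s, vendor_names) for s in picked]


def shared_sentences(policy_a, names_a, policy_b, names_b):
    """Sentences of policy_a that also occur in policy_b once names are masked."""
    seen = {normalize(s, names_b) for s in sentences(policy_b)}
    return [s for s in sentences(policy_a) if normalize(s, names_a) in seen]


# The clause quoted on the page, with a constructed opening and a slot for
# the vendor name.
CLAUSE = (
    "By submitting content, you grant {v} and its affiliates and licensees "
    "the right to use, reproduce, display, perform, adapt, modify, distribute, "
    "have distributed, and promote the content in any form, anywhere and for "
    "any purpose."
)

# Constructed policies: an education vendor and a racetrack sharing one clause.
POLICY_A = (
    "Acme Learning collects the name and school email address of each student "
    "enrolled by a teacher. " + CLAUSE.format(v="Acme Learning") + " We delete "
    "student records within thirty days of a written request from the school."
)
POLICY_B = (
    "Fastlane Raceway sells tickets and merchandise for weekly events through "
    "this website. " + CLAUSE.format(v="Fastlane Raceway") + " Refunds are "
    "issued only when an event is cancelled by the track."
)

if __name__ == "__main__":
    for phrase in spot_check(POLICY_A, ["Acme Learning"], seed=1):
        print(phrase)
    print(shared_sentences(POLICY_A, ["Acme Learning"],
                           POLICY_B, ["Fastlane Raceway"]))
```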

Second is that the parent had to accept a set of terms and conditions for a vendor that was presumably operating within the framework of the “School Official” exception of FERPA, meaning, among other things, that they are under the direct control of the school.

If a vendor can have a valid agreement on the use of data with a parent separate from the agreement with the school, it raises several questions.

  • If they contradict, does this break their status as a valid “school official”?
  • In the absence of any other evidence, does one take precedence over the other?
  • Did the agreement with the school contain any language about precedence?

An example of how one large Edtech vendor attempts to deal with the issue of conflict and precedence of terms is seen in Google’s G Suite for Education privacy notice.

“Where there are terms that differ, as with the limitations on advertising in G Suite for Education, the G Suite for Education agreement (as amended) takes precedence, followed by this Privacy Notice and then the Google Privacy Policy.”

Determining if a vendor’s terms accurately reflect their practice and untangling conflict between school and end user terms are not simple questions and they don’t have simple answers. I look forward to the conversations our industry will be having over the next few months in light of the Agora letter.

Common Sense Media Misses the Mark on COPPA

Recently Common Sense Media posted a summary of COPPA, the Children’s Online Privacy Protection Act, and unfortunately the piece had a number of fundamental misunderstandings about this key piece of privacy legislation.

Schools rightfully have a high regard for the information that Common Sense education publishes about student safety and digital citizenship, and are likely to presume that all of the privacy content from the education group is of similar quality. That is not always the case for privacy information. I know Common Sense Media has several very knowledgeable experts on data privacy and it is unfortunate that this expertise does not always seem to be used when editorial information on privacy is published.

First, the article refers to COPPA as “a law dealing with how websites….collect data and personal information about kids under the age of 13.” This is incorrect; COPPA deals with information collected from children under the age of 13. (By contrast, FERPA covers data directly about a student, maintained by the school or school’s agent.)

Second, in listing three things about COPPA, the article states that under COPPA a vendor must “Not use kids’ data for marketing-related purposes.” COPPA says no such thing; in fact, COPPA specifically provides mechanisms where parents approve this collection and use. That is kind of the whole point of COPPA.

Lastly, the article suggests that “COPPA compliance might depend more on how teachers and students actually use the tool at the classroom level”. There is no basis in the COPPA regulation or FAQ that would give the impression that COPPA compliance is dependent on individual use. Determination is based on whether a site is “child directed” or the vendor has actual knowledge.

Rather than citing any primary sources on COPPA, the article attempts to summarize a very complex point about school consent made in EdWeek’s “COPPA and Schools: The (Other) Federal Student Privacy Law, Explained.” In doing this it fails and ends up providing misleading information through incomplete summarization.

What Do Schools Really Need to Know About COPPA?

  1. Schools should think of COPPA as a subset of their overall privacy responsibilities.  I would argue that schools should prioritize overall privacy for students of all ages, and compliance with FERPA. There are few cases where paying attention to this would not also aid in the schools’ role in vendors’ COPPA compliance.
  2. There is only a very narrow set of circumstances where a school can provide consent on behalf of the parent (for COPPA), and they are described in the COPPA FAQ as:
    • Where the school is contracting for a service solely for the benefit of their students and for the school.
      • In my opinion, contracting means there is a legal and direct relationship between the school and the vendor and would likely not mean cases where the student signs up directly with the vendor and the school has no control, and “solely for the benefit” means, among other things, no commercial use.
    • The operator has provided the school with all the notices required under COPPA, including a description of the types of personal information collected and full notice of its collection, use, and disclosure practices. Based on these notices, the school should be able to answer these questions:
      • What types of personal information will the operator collect from students?
      • How does the operator use this personal information?
      • What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
      • What are the operator’s data retention and deletion policies for children’s personal information?
      • Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
      • Does the operator enable the school to review, prevent further collection and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.





Privacy Differences between Consumer Gmail and G Suite for Education

Updated 2/4/2018: Based on requests, I am providing a version of this information under a Creative Commons licence that districts can copy, add their district-specific settings to, and provide to their community.

Updated on 12/19/2017 based on feedback and corrections from Kim Nilsson

This is a question that comes up quite frequently. There are significant differences between the consumer Google accounts that are familiar to many parents, and the G Suite for Education accounts that are used in schools. Two significant differences are in the My Account settings and in Google search results.

Schools may also find it helpful to refer to Google’s suggested Notice template for schools when gathering parent or guardian consent and to this page for the privacy practices for specific Google services.

User Data Collection settings in User Dashboard and My Account

The Google Dashboard allows the user to see and manage the data in their Google Account. The “My Account” link under the user profile provides users the ability to review their account settings, and view and manage collected data. There are additional settings and activity views under the more-activity page. There are significant differences in the data collected between consumer Gmail and G Suite for Education accounts. Additionally, G Suite for Education administrators must manually enable non-education Google services. If a service (e.g. Google + or Blogger) is not enabled by the G Suite Admin, the user will see the following message and will be unable to access the service.

The following table compares the differences in the My Account settings between consumer and G Suite accounts.


| Category | Consumer Accounts | G Suite for Education Accounts |
|---|---|---|
| Security Checkup | Available | Available |
| Privacy Checkup | Available | Available |
| Find Your Phone (details) | Available | Available |
| Signing in to Google | | |
| Sign in with your Phone | Available | Feature requires the following to be enabled by the G Suite Admin: Web & App Activity; Google Now for iOS and Android; Device Management -> Advanced Settings -> Other Google Services. Also requires the Google app for mobile be installed |
| Change Password | Available/User Editable | Available (See Note 1) |
| 2-step verification | Available | Available (See Note 2) |
| Account recovery options | | |
| Recovery eMail | Available/User Editable | Available if enabled by Admins (See Note 1). Note: This feature is not an option if domain is using Single Sign-On (SSO) or G Suite Password Sync. It also doesn’t work for users under the age of 18. |
| Recovery Phone | Available/User Editable | See above |
| Security Question | Available/User Editable | See above |
| Device Activity & Notifications | | |
| Recent security events | Available | Available |
| Recently used devices | Available | Available |
| Apps with access to your account (these are 3rd party services that the USER has given permission to access their account) | Available/User Editable | Available/User Editable |
| Saved passwords | Available/User Editable | Requires the Chrome Sync service to be enabled by the G Suite Admin for the user (G Suite Core). (more info) |
| Allow less secure apps | Available/User Editable | This setting is managed by the district Admin. (more info) |
| Personal Info and Privacy | | |
| Name | Available/User Editable | Editable by the G Suite Admin. Typically synced from a directory of student information system. There is a setting in the Admin control panel to allow/disallow users from editing their name |
| NickName | Available/User Editable | Editable only if Google + is enabled by the G Suite Admin for the user. |
| User Photo (Gmail setting) | Available/User Editable | Available/User Editable. There is a setting in the Admin control panel to allow/disallow users from editing their photo |
| Phone | Available/User Used with Hangouts, Google voice or an android device | Present if the user has provided a phone # and is enabled (e.g. when verifying an installed mobile app) |
| Birthday | Available/User Editable | Required for G+ service. There is a setting in the Admin control panel (Directory) to allow/disallow users from editing their birthday. For Education domains, birthday is never editable by end users except for in the Google+ upgrade flow, where it is always editable. Birthday is only shown to people the user connects with on Google. Private by default, sharing is controlled in the about me settings |
| Gender | Available/User Editable | Required for G+ service. There is a setting in the Admin control panel (Directory) to allow/prevent users from editing their gender. By default, gender isn’t shared with other people who use Google services |
| About Me | Available/User Editable | Some information is restricted from editing |
| Google + Settings | Available/User Editable | Data and setting is user editable only if G+ is enabled for user by the G Suite Admin. This is not permitted for users under 13. There is an Admin option to automatically create G+ profiles for users |
| Shared Endorsements | Available/User Editable | Data and setting not present in G Suite for Education. Google does not use shared endorsements for G Suite accounts. G Suite Users will see a message saying “The setting you are looking for is not available for your account” |
| Blocked Users | Available/User Editable | The Blocked Users option appears if ANY of the following services are enabled for the user by the G Suite Admin: Core: Hangouts; Non-Core: Google+, Photos, Maps, YouTube. See here for details |
| Location Sharing | Available/User Editable | OFF by default. Requires Location History service. This is a non-core service which is off by default and must be enabled by the district Admin |
| Search Settings | Available/User Editable | OFF by default. Editable, but SafeSearch is frequently managed by district DNS settings, chromebook policies, content filters or other means and not editable in those cases. Additionally, Google does not display ads or collect search data from Google searches from users that are signed in to a G Suite for Education account |
| Manage your Google activity | | |
| Activity controls | | |
| Web & App Activity | Available/User Editable. OFF by default. Web & App Activity stores your searches and other things you do on Search, Maps and other Google services, including your location and other associated data. When Web & App Activity is on, this data may be saved from any of your signed-in devices. | OFF by default. Requires the Web and App activity service (including Chrome browsing history). This is a non-core service which is off by default and must be enabled by the district Admin. The screen has a setting: “Include Chrome browsing history and activity from websites and apps that use Google services”. This additional setting cannot be enabled in G Suite for Education domains as indicated by the message “Based on your organization, this setting is disabled.” Note this is not the same as the LOCAL browser history that may be stored on a user’s computer |
| YouTube Search History | Available/User Editable. ON by default | Requires YouTube service which must be enabled by the Admin. This is enabled ON by default if YouTube is enabled and the user creates an account |
| YouTube Watch History | Available/User Editable. ON by default | Requires YouTube service which must be enabled by the Admin. This is enabled ON by default if YouTube is enabled and the user creates an account |
| Device Information. Device Information privately stores your contacts, calendars, alarms, apps, music, movies, books, and other content. It also stores the status of your devices – for instance, whether the screen is on, the battery level, the quality and duration of network connections like Wi-Fi and Bluetooth, touchscreen and sensor readings, and crash reports. Information is visible only to the user (more info) | Available/User Editable. OFF by default. When this setting is on, information may be saved from any device that uses your Google Account. User can review and delete information | Available/User Editable. OFF by default. When this setting is on, information may be saved from any device that uses your Google Account. User can review and delete information |
| Location History | Available/User Editable | OFF by default. Requires Location History service which must be enabled by the Admin. Can be enabled by the user. User can review and delete data |
| Voice & Audio Activity (Activity from “OK Google”) | Available/User Editable. OFF by default | OFF by default. Can be enabled by the user. User can review and delete recordings |
| Review activity | | |
| My Activity | Available. My Activity show all activity collected based on the user’s settings for the following: Web & App Activity; Device Information; Voice & Audio Activity; YouTube Search History; YouTube Watch History; Location History; Google Play Sound Search History; YouTube “Not interested” feedback; YouTube survey answers; Google Place answers | Available data is YouTube watch and search data and depends on the non-core YouTube service which must be enabled by the Admin |
| Timelines in Google Maps | Available/User Editable | Requires the non-core location history service which is disabled by default in G Suite for Education and must be enabled by the Admin |
| Google Dashboard | Available/User Editable | Available. Allows view, manage, export and delete data for many google services |
| Ads Settings | | |
| Ads Settings | Available/User Editable | Disabled and not possible to enable for G Suite for Education accounts. The user will see the following message when going to the settings page: “Ads Personalization is turned off for this Google Account – The option to personalize ads in Ads Settings is turned off for this account. That means that Google doesn’t use any information associated with this Google Account to target ads while you’re signed in to this account.” |
| Control your content | | |
| Download Your Data | Available | Requires the non-core Google Takeout service to be enabled by the G Suite Admin |
| Transfer your content | Available | Requires Google Takeout service, as well as an additional Takeout checkbox setting and requires external sharing to be enabled by the G Suite Admin in the settings for Google Drive (more info) |
| Assign an account trustee | Available | Not available for G Suite for Education accounts |
| Account Preferences | | |
| Payment Center | Available | Requires the non-core Google Payments service to be enabled by the G Suite Admin |
| Subscriptions | Available | Requires the non-core Google Payments service to be enabled by the G Suite Admin |
| Payment Methods | Available | Requires the non-core Google Payments service to be enabled by the G Suite Admin |
| Language & Input Tools | | |
| Language | Available/User Editable | Available/User Editable |
| Input Tools | Available/User Editable | Available/User Editable |
| Screen Reader | Available/User Editable | Available/User Editable |
| High Contrast Colors | Available/User Editable | Available/User Editable |
| Your Google Drive storage (Informational only, total storage in account) | Available | Available (Note that G Suite for Education accounts have unlimited storage) |
| Delete your account or services | | |
| Delete Products | Available to delete Gmail, YouTube, Google +. Provides link to download data | Deleting Gmail is not an end-user option. Accounts can only be deleted or suspended by G Suite admin. User can delete profile data for YouTube, Google +. Deleted data is removed from Google systems-more detail is here. Provides link to download data |

Google Search Advertising and Tracking

Another key difference between consumer Google accounts and G Suite for Education accounts is the data collection and use in Google Search for signed in users. The screenshot below shows a consumer account’s search results for the term “Lego”. The page shows two ads shown before the actual search results and a sidebar of results from Google’s shopping service.

By contrast, the following screenshot shows a G Suite for Education account’s search results for the term “Lego”. The results show no ads and the sidebar includes only the “info box” for the Lego company and no results from Google’s shopping service.




1-Admins can enable this password recovery option (see this). If the district is syncing passwords via GAPS or using SAML, the user may have similar capabilities.

2-Users can opt in to 2 step verification. Admin can also require 2 step verification for specific accounts (see here for details).



G Suite Accounts: Testing was conducted using 4 newly created accounts from a non-production G Suite for Education domain (each account had a variety of services enabled from only minimal Core G Suite services, not including hangouts or groups to an account with all core and non core services enabled and

Gmail Accounts: Testing was conducted with two accounts, one newly created and one in active use for several years.


Google Adds Chrome Sync to G Suite for Education Core Services

Recently Google quietly made a change to include “Chrome Sync” in the list of “Core” tools in G Suite for Education. Chrome Sync provides the ability (when you sign in to Chrome or by default on a Chromebook) to sync Chrome data to your Google Account and to any other supported ChromeOS/browser that is signed in. Synced data includes Chrome apps, autofill settings, bookmarks, Chrome extensions, browser history, passwords, Chrome settings, themes, wallpaper, open tabs and Google payment data*

This change should provide official clarity as to how data in Chrome Sync is used, as described in the Education Privacy Notice.

This change also provides an opportunity for district G Suite admins to remind users that they have the option to add an additional layer of privacy by setting a Chrome Sync passphrase. A sync passphrase encrypts all synced data at rest. If you set a passphrase, you can use Google’s cloud to store and sync your data without letting Google read it.

Users also have the ability to selectively disable syncing of some or all of the elements that are synced.

The G Suite Services Summary page now includes the following text:

“G Suite for Education” is an edition of G Suite comprised of the G Suite Core Services, excluding Google+ and Google Cloud Search. …. This edition also includes Classroom and Chrome Sync as G Suite Core Services.

  • “Classroom” is a web-based service that allows End Users to create and participate in classroom groups. Using Classroom, students can view assignments, submit homework, and receive grades from teachers.
  • “Chrome Sync” is a feature that allows End Users to synchronize bookmarks, history, passwords, and other settings across all the devices where they are signed in to Chrome.

And the G Suite for Education Core and Services Admin help page is updated to say:

G Suite Core Services are Gmail (including Inbox by Gmail), Calendar, Chrome Sync, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault.

Prior to this change, Google offered this statement about the use of Chrome Sync data in response to a request for information from Sen. Al Franken.

Users who have Chrome Sync enabled (whether on a Chromebook or using the Chrome browser) will have additional information about their browser settings stored in their Google Account, including browsing history, any saved apps, extensions, bookmarks, and passwords. ….. If any of this data is associated with a student’s GAFE account — which is the case when a student is logged into a Chromebook with Chrome Sync enabled with their GAFE account — we consider this data to be the student’s personal information and do not use it to target ads.

Google stated that it “collects, maintains, and uses information via Chrome Sync (in aggregated and anonymized form) for the purpose of improving Google products”. For context, this is comparable to similar language and use by Apple who states that …

“We may collect and store details of how you use our services, including search queries. This information may be used to improve the relevancy of results provided by our services”

And with Microsoft’s Cortana service, which states that

“Microsoft uses your voice data to improve Cortana’s understanding of how you speak to keep improving Cortana’s recognition and responses, and to improve other Microsoft products and services that use speech recognition and intent understanding”


*Google payment data is a non-core service, only available to users 13 and older. Schools are required to get parental permission if this is enabled for users 13-18.


Google Notifies K12 Admins of Upcoming Changes to enabled “Additional Google Services”

I have previously written about G Suite for Education and the number of non-core services that are enabled by default when a school sets up their domain. I have not had a chance to retest what services are still enabled by default when creating a new domain, but I did want to acknowledge that Google recently notified existing K12 admins that unless they opt out, Google will change their settings and turn off approximately 1/2 of the non-core services on August 1st, 2017. Admins can re-enable the services manually.

The list of services to be turned off appears to correspond with the list I noted in Jan. 2017 and is a good partial step toward helping K12 admins tighten down their domains for apps outside the core set of G Suite tools. It also provides an end-of-school-year reminder that schools need to be getting permission and, I would also add, going back to parents to get permission for services that were turned on by default.



Services settings changing for G Suite for Education on Aug 1, 2017

In addition to our core G Suite productivity tools like Gmail, Docs, and Classroom, Google makes some of our Additional consumer services available to our G Suite for Education users. These services are used by our G Suite for Education customers to support their educational missions. We want to ensure that other Google services that are not designed for students, such as advertising management services, are not accessible to these users without careful consideration from administrators and parents. You can read more about our commitment to privacy and security here.

To keep G Suite for Education focused on the right services for most schools, we will disable the set of Additional services below on <your domain’s> G Suite for Education account on Aug 1, 2017, unless you choose to control your users’ access to these services yourself below.

Note that you are receiving this message because you are either a K-12 school in our system or your domain has no school type in our system. In order to receive better-targeted communications in the future, please set your school type here. Learn more

Here are the services that will be disabled for your domain:


Note that some of these services may already be disabled for your users. See your configuration.

If you choose to control services yourself and opt-out of having these services disabled automatically, your institution must ensure, for each of these services you choose to keep on, that:

  • you are enabling the service for educational purposes;
  • you are not enabling the service for any user under the age of 13 (learn more about using managing access for different users in our Help Center);
  • your organization has obtained parental consent for any users between 13 and 18 years old to use the service. Our Help Center has more information and resources for Getting consent for G Suite for Education.

Note that there might be other requirements in countries and communities around the world. Learn more.

You may choose to keep these services enabled for specific organizational unit, and disable them for others, depending on your needs. For new services that are added by Google in the future, please see the ‘New Products’ setting on the Company Profile page. Learn more

Choose what is right for you: